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This privacy notice applies to users of The Queen’s College IT systems, email and 


telephones/mobile devices 


A summary of what this notice explains 


The Queen’s College (“the College”) is committed to protecting the privacy and security of personal 
data. 


This notice applies to users of the College’s IT systems, email and telephones/mobile devices. It will 
apply to anyone allowed to use such systems, including our staff and students. There are separate 
privacy notices covering the other aspects of processing of staff, student and others’ data, including 
users of the College website, which are available here. 


This notice explains what personal data the College holds about you, how we use it internally, how 
we share it, how long we keep it and what your legal rights are in relation to it. 


For the parts of your personal data that you supply to us to us, this notice also explains the basis on 
which you are required or requested to provide the information. For the parts of your personal 
data that we generate about you, or that we receive from others, it explains the source of the data. 


What is your personal data and how does the law regulate our use of it? 


“Personal data” is information relating to you as a living, identifiable individual. We refer to this 
as “your data”. 


“Processing” your data includes various operations that may be carried out on your data, including 
collecting, recording, organising, using, disclosing, storing and deleting it. 


Data protection law requires us: 


e To process your data in a lawful, fair and transparent way; 

e To only collect your data for explicit and legitimate purposes; 

e To only collect data that is relevant, and limited to the purpose(s) we have told you about; 

e To ensure that your data is accurate and up to date; 

e To ensure that your data is only kept as long as necessary for the purpose(s) we have told 
you about; 

e To ensure that appropriate security measures are used to protect your data. 


Contact Details 
If you need to contact us about your data, please contact: 


The Revd Katherine Price 
Data Protection Officer 


The Queen’s College 
Oxford 
OX1 4AW 


Telephone: 01865 279143 
Email: katherine.price@queens.ox.ac.uk 
Data that you provide to us and the possible consequences of you not providing it 


In most cases the data you provide will be a necessary requirement of using the relevant system (for 
example, you will need a password to access the College’s IT systems). If you do not provide such 
data you will not be able to use the system, and depending on circumstances this may become a 
disciplinary matter that could lead to the termination of your contract with us whether you are an 
employee, or a student. 


Other sources of your data 


Apart from the data that you provide to us, we may also process data about you from a range of 
sources. These include: 


e The University of Oxford, which operates a number of systems that Colleges have access to; 
for example, Student Records suite of systems including, but not limited to, Admissions 
Decision Support System (ADSS), eVision, SITS:Vision, OxCORT, Graduate Supervision 
System (GSS), Degree Conferrals, Core User Directory (CUD), University email system 
(Nexus365), IT Services Registration system; 

e Information that we generate in the course of operating the College’s IT systems; for 
example, electronic point of sale (EPOS) for meal and bar transactions, printing, door access 
logs and CCTV footage; 

e Information which we obtain from third party suppliers; for example, telephone records 
provided by suppliers of telephone systems 

e Information gathered from Network monitoring systems including firewall logs and 
Network Policy Server (NPS) connection logs. 

e Data collected for conference and events purposes either you have given us this data, or a 
third party conference organiser has provided us with information. 


The lawful basis on which we process your data 


The law requires that we provide you with information about the lawful basis on which we process 
your personal data, and for what purposes. 


Most commonly, we will process your data on the following lawful grounds: 


e Where it is necessary for our legitimate interests (or those of a third party) and your 
interests and fundamental rights do not override those interests. 

e Where it is necessary to perform the contract we have entered into with you; 

e Where necessary to comply with a legal obligation; 


We may also use your data, typically in an emergency, where this is necessary to protect your vital 
interests, or someone else’s vital interests. 


How we apply further protection in the case of “special categories” of personal data 


"Special categories" of particularly sensitive personal data require higher levels of protection. We 
need to have further justification for collecting, storing and using this type of personal data. 


The special categories of personal data consist of data revealing: 


e racial or ethnic origin; 

e political opinions; 

e religious or philosophical beliefs; 
e trade union membership. 


They also consist of the processing of: 


e genetic data; 

e biometric data for the purpose of uniquely identifying someone; 
e data concerning health; 

e data concerning someone's sex life or sexual orientation. 


We may process special categories of personal data in the following circumstances: 


e With your explicit written consent; or 
e Where it is necessary in the substantial public interest, in particular: 

o is necessary for the purposes of the prevention or detection of an unlawful act, must 
be carried out without the consent of the data subject so as not to prejudice those 
purposes; or 

o for equal opportunities monitoring; 

e Where the processing is necessary for archiving purposes in the public interest, or for 
scientific or historical research purposes, or statistical purposes, subject to further 
safeguards for your fundamental rights and interests specified in law. 


We have in place an appropriate policy document and/or other safeguards which we are required 
by law to maintain when processing such data. 


Less commonly, we may process this type of data where it is needed in relation to legal claims or 
where it is needed to protect your interests (or someone else's interests) and you are not capable of 


giving your consent, or where you have already made the data public. 


Criminal convictions and allegations of criminal activity 


Further legal controls apply to data relating to criminal convictions and allegations of criminal 
activity. We may process such data on the same grounds as those identified for “special categories” 
referred to above. 


Details of our processing activities, including our lawful basis for processing 


We have prepared a detailed table setting out the processing activities that we undertake, the source 
of the data, the reasons why we process it, how long we keep it and the lawful basis we rely on. 


The table includes detailed information about how and why we process various categories of data, 
and the related lawful basis. It includes monitoring that may occur of use of telephone and IT 
services, including, subject to certain safeguards, email content, internet use and/or telephone 
records for the purpose of ensuring that such services are not used for unlawful purposes, or 
otherwise breach the University’s ICT regulations. Safeguards are set out in the regulations to 
ensure that an individual’s privacy is respected appropriately. The lawful basis for such processing 
is that the College has a legitimate interest in maintaining the integrity of its systems, to investigate 
misuse and in taking action to prevent misuse recurring. 


How we share your data 


We will not sell your data to third parties. We will only share it with third parties if we are allowed 
or required to do so by law. This includes for example where we decide to report alleged criminal 
misconduct to the police. 


All our third party service providers are required to take appropriate security measures to protect 
your personal information in line with our policies, and are only permitted to process your personal 
data for specific purposes in accordance with our instructions. We do not allow our third party 
providers to use your personal data for their own purposes. 


More information on the categories of recipients of your data is set out in a table here. 
Sharing your data outside the European Union 
The law provides various further safeguards where data is transferred outside of the EU. 


When you are resident outside the EU in a country where there is no “adequacy decision” by the 
European Commission, and an alternative safeguard is not available, we may still transfer data to 
you which is necessary for performance of your contract with us (if you are a staff member or 
student). 


Otherwise, we may transfer your data outside the European Union, but only for the purposes 
referred to in this notice and provided either: 


e There is a decision of the European Commission that the level of protection of personal data 
in the recipient country is adequate; or 

e Appropriate safeguards are in place to ensure that your data is treated in accordance with 
UK data protection law, for example through the use of standard contractual clauses; or 

e There is an applicable derogation in law which permits the transfer in the absence of an 
adequacy decision or an appropriate safeguard. 


Automated decision-making 


We do not envisage that any decisions will be taken about you based solely on automated means, 
however we will notify you in writing if this position changes. 


How long we keep your data 
The detailed table of processing activities explains how long we will keep your data. 


If there are legal proceedings, a regulatory, disciplinary or criminal investigation, suspected 
criminal activity, or relevant requests under data protection or freedom of information legislation, 
it may be necessary for us to suspend the deletion of data until the proceedings, investigation or 
request have been fully disposed of. 


Please note that we may keep anonymised statistical data indefinitely, but you cannot be identified 
from such data. 


Your legal rights over your data 
Subject to certain conditions set out in UK data protection law, you have: 


e The right to request access to a copy of your data, as well as to be informed of various 
information about how your data is being used; 

e The right to have any inaccuracies in your data corrected, which may include the right to 
have any incomplete data completed; 

e The right to have your personal data erased in certain circumstances; 

e The right to have the processing of your data suspended, for example if you want us to 
establish the accuracy of the data we are processing. 

e The right to receive a copy of data you have provided to us, and have that transmitted to 
another data controller (for example, another University or College). 

e The right to object to any direct marketing (for example, email marketing or phone calls) 
by us, and to require us to stop such marketing. 

e The right to object to the processing of your information if we are relying on a “legitimate 
interest” for the processing or where the processing is necessary for the performance of a 
task carried out in the public interest. The lawful basis for any particular processing activity 
we carry out is set out in our detailed table of processing activities. 

e The right to object to any automated decision-making about you which produces legal 
effects or otherwise significantly affects you. 

e Where the lawful basis for processing your data is consent, you have the right to withdraw 
your consent at any time. When you tell us you wish to exercise your right, we will stop 
further processing of such data. This will not affect the validity of any lawful processing of 
your data up until the time when you withdrew your consent. You may withdraw your 
consent by contacting the College’s Data Protection Officer. 





Further guidance on your rights is available from the Information Commissioner’s Office 
(https://.ico.org.uk/). You may also wish to contact the College’s Data Protection Officer if you are 
considering how or whether to exercise your rights. 





You have the right to complain to the UK’s supervisory office for data protection, the Information 
Commissioner’s Office if you believe that your data has been processed unlawfully. 


Future changes to this privacy notice, and previous versions 


We may need to update this notice from time to time, for example if the law or regulatory 
requirements change, if technology changes, if the College or the University makes changes to its 
procedures, or to make the College’s operations and procedures more efficient. If the change is 
material, we will give you not less than two months’ notice of the change so that you can decide 
whether to exercise your rights, if appropriate, before the change comes into effect. We will notify 
you of the change by [insert relevant contact method(s)]. 


You can access past versions of our privacy notices here. 
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